My client's website was recently defaced and they are seeking ways to mitigate this risk. They have a dedicated server running Apache and mod_php. The website consists of three separate PHP applications installed in different folders (a customer portal script, WordPress and a custom database-driven script). Their security audit recommended that each script be isolated so that if any of them was hacked, the other two would be safe from defacement etc. They also recommended using FastCGI over mod_php. suEXEC was also mentioned, although it's not clear why this was recommended.

Can someone please confirm whether this makes sense and is actually possible/feasible? If so, what would be the best way to achieve the proposed security solution?

Michelle

2 Answers

If so, what would be the best way to achieve the proposed security solution?

Best to use a virtual machine (KVM, OpenVZ, XEN, Jail) for each site, or use chroot (mod_chroot, php-fpm).

bindbn

Using suPHP or suEXEC (+ fcgi/cgi) is a good decision for securing your server (separating the applications).

But to do this, you need to have a different vhost for each of those applications, let's say for example: app1.domain.com, app2.domain.com, app3.domain.com. If your site structure is like the above, there won't be a problem setting up 3 virtual hosts, using 3 different users/groups for serving the PHP (with the mentioned methods: suexec, suphp).

gryzli
  • It is not set up like this; each app is in its own folder, not a subdomain. What can I do in this situation? – Michelle Oct 02 '10 at 07:17
  • In this case I don't know a way of isolating/separating the applications. But if it's a critical task, better try to assign different domain names (subdomains). – gryzli Oct 02 '10 at 10:53
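An added example, not from either answerer, of the per-application user separation both answers describe, done with PHP-FPM pools (the FastCGI route the audit asked for) instead of suEXEC/suPHP; because the pool is chosen per directory it also covers the case raised in the comments, where the three applications are subfolders of one vhost rather than separate subdomains. Paths, user names and socket names are assumed, and the vhost part needs Apache 2.4.10 or later with mod_proxy_fcgi.

```apache
# --- /etc/php/fpm/pool.d/portal.conf (constructed; make one such pool per application) ---
[portal]
user  = app-portal              ; dedicated unprivileged user for this application only
group = app-portal
listen = /run/php-fpm/portal.sock
listen.owner = www-data         ; Apache connects to the socket ...
listen.group = www-data
listen.mode  = 0660             ; ... and nobody else can
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; PHP code in this pool can only open files below its own tree (and /tmp)
php_admin_value[open_basedir] = /var/www/html/portal:/tmp

# --- Apache 2.4 vhost with mod_proxy_fcgi: each subfolder's PHP goes to its own pool ---
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    <Directory /var/www/html/portal>
        <FilesMatch "\.php$">
            SetHandler "proxy:unix:/run/php-fpm/portal.sock|fcgi://localhost/"
        </FilesMatch>
    </Directory>
    <Directory /var/www/html/blog>
        <FilesMatch "\.php$">
            SetHandler "proxy:unix:/run/php-fpm/blog.sock|fcgi://localhost/"
        </FilesMatch>
    </Directory>
    <Directory /var/www/html/db>
        <FilesMatch "\.php$">
            SetHandler "proxy:unix:/run/php-fpm/db.sock|fcgi://localhost/"
        </FilesMatch>
    </Directory>
</VirtualHost>

# --- Filesystem ownership (shell, run once per application directory) ---
# Files belong to the application's own user; group www-data gets read access so
# Apache can serve static assets; "other" (i.e. the two other application users)
# gets nothing, so a compromised pool cannot read or overwrite its neighbours.
#   chown -R app-portal:www-data /var/www/html/portal
#   chmod -R u=rwX,g=rX,o= /var/www/html/portal
```

With three pools set up this way, code running as app-portal cannot write into /var/www/html/blog or /var/www/html/db even though all three sit under the same DocumentRoot, which is the isolation the audit asked for.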